
Stealing information and Exploitation

• Form grabbing
• Man-in-the-middle attacks
• DLL Injection
• Browser helper objects

Form Grabbing

Form grabbing is a malicious technique that steals authorization credentials from a web
data form before the form is passed to a secure server over an encrypted protocol.
A form grabber is a type of malware that captures data such as IDs and passwords from
browser forms.
The target of a form grabber is the user’s Internet banking information. Form grabbers
typically gain access as a Trojan horse.
Once running on a host machine, a form grabber detects Internet banking login
information as it is being entered into a form, along with other identifying information
that will help the software masquerade as a customer.
The form grabber often stores the stolen information for easy access and also sends it
back to a parent server, where it may be added to a database. The information may be
used immediately for banking fraud or sold to other parties.
A form grabber may be a component of a more complex piece of malware such as Hand
of Thief. Internet banking crimeware is one of the largest and fastest-growing types of
malware threat. Such malware affects the most common operating systems (OS) and web
browsers.
The method was invented in 2003 by the developer of a variant of a trojan horse called
Downloader.Barbew, which attempts to download Backdoor.Barbew from the Internet
and bring it over to the local system for execution. However, it was not popularized as a
well-known type of malware attack until the emergence of the infamous banking trojan
Zeus in 2007.
Form grabbers not only solve the problems that typos and copy-and-paste cause for a
keylogger's output, but also capture the names of the variables that the web page uses to
define the data. In one captured example, the form grabber captured each variable
individually, including the variables named pass and e-mail, which require little analysis
to identify as the user's credentials. Additionally, the form grabber captured the URL for
which the data was destined and the title of the page, which lets it correlate the user's
credentials with the appropriate website. These abilities make form grabbers superior to
keyloggers, and as such they have become the dominant form of credential theft for
modern malicious code. Keyloggers remain the best choice for capturing data not entered
into web forms, such as system logon passwords, since that information never passes
through form-grabbing code. To grab forms, a Trojan places itself between the web
browser and the networking stack, at the point where valuable information passes
through the encryption functions before transmission.
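The hooking described above leaves a visible trace: the first instruction of a hooked export becomes an unconditional jump out of its own module into a buffer the Trojan owns. The following Python, an added example that is not part of the original notes, checks function prologue bytes for that signature; the module addresses, export names and byte strings are all constructed for the demo rather than taken from a real system.

```python
import struct

# Constructed module layout (not taken from any real system): a networking DLL
# mapped at MODULE_BASE exporting the functions listed in EXPORTS below.
MODULE_BASE = 0x77D00000
MODULE_SIZE = 0x00100000
FUNC_ADDR = 0x77D01234          # address of the export being checked
STUB_ADDR = FUNC_ADDR + 0xC0    # a second export that is a legitimate forwarding stub
HOOK_TARGET = 0x00A30000        # private buffer outside every module, allocated by the trojan

# Sample first bytes. A clean hot-patchable x86 prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN = bytes.fromhex("8bff558bec")
# Same export after an inline hook: jmp rel32 into the trojan's buffer
HOOKED_JMP = b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5))
# Another hook style: push imm32 ; ret
HOOKED_PUSH_RET = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xc3"
# A jmp rel32 that lands 0x100 bytes ahead, still inside the module (ordinary code)
INTERNAL_JMP = b"\xe9" + struct.pack("<i", 0x100 - 5)

def transfer_target(prologue, address):
    """Absolute destination if the function starts with an unconditional control
    transfer (jmp rel32, jmp rel8, or push imm32 ; ret), otherwise None."""
    op = prologue[0]
    if op == 0xE9 and len(prologue) >= 5:                          # jmp rel32
        return (address + 5 + struct.unpack_from("<i", prologue, 1)[0]) & 0xFFFFFFFF
    if op == 0xEB and len(prologue) >= 2:                          # jmp rel8
        return (address + 2 + struct.unpack_from("<b", prologue, 1)[0]) & 0xFFFFFFFF
    if op == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:  # push imm32 ; ret
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def is_hooked(prologue, address, base=MODULE_BASE, size=MODULE_SIZE):
    """A transfer that leaves the owning module is the signature of an inline hook;
    one that stays inside the module is normal code and is not flagged."""
    target = transfer_target(prologue, address)
    return target is not None and not (base <= target < base + size)

def scan_exports(exports):
    """exports: iterable of (name, address, first_bytes). Returns hooked export names."""
    return [name for name, addr, code in exports if is_hooked(code, addr)]

# Constructed export table for the demo
EXPORTS = [
    ("SendData", FUNC_ADDR, HOOKED_JMP),
    ("SendDataEx", FUNC_ADDR + 0x40, HOOKED_PUSH_RET),
    ("Connect", FUNC_ADDR + 0x80, CLEAN),
    ("ConnectStub", STUB_ADDR, INTERNAL_JMP),
]
```

On a live system the same check is run against the first bytes of each export of the browser's networking and crypto libraries, with the module range taken from the loader's module list.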
Man-in-the-middle attacks

A man-in-the-middle attack is a type of cyber-attack where a malicious actor inserts
him/herself into a conversation between two parties, impersonates both parties and gains
access to information that the two parties were trying to send to each other. A man-in-the-
middle attack allows a malicious actor to intercept, send and receive data meant for
someone else, or not meant to be sent at all, without either outside party knowing until it
is too late.
Key Concepts of a Man-in-the-Middle Attack
• Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
• A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.
• Man-in-the-middle attacks allow attackers to intercept, send and receive data never meant for them without either outside party knowing until it is too late.
How to help protect against a man-in-the-middle attack?
With the number of tools readily available to cybercriminals for carrying out man-in-the-
middle attacks, it makes sense to take steps to help protect your devices, your data, and
your connections. Here are just a few.
• Make sure "HTTPS", with the S, is always in the URL bar of the websites you visit.
• Be wary of potential phishing emails from attackers asking you to update your password or any other login credentials. Instead of clicking on the link provided in the email, manually type the website address into your browser.
• Never connect to public Wi-Fi routers directly, if possible. A VPN encrypts your internet connection on public hotspots to protect the private data you send and receive while using public Wi-Fi, like passwords or credit card information.
• Since man-in-the-browser (MITB) attacks primarily use malware for execution, you should install a comprehensive internet security solution, such as Norton Security, on your computer. Always keep the security software up to date.
• Be sure that your home Wi-Fi network is secure. Update all of the default usernames and passwords on your home router and all connected devices to strong, unique passwords.
DLL Injections
A DLL file is a file containing computer code that a software program executes to
perform one or more functions. A DLL injection is where code is forced to run in place
of other code. This "injected" code is usually code written by a third-party developer,
designed to perform some malicious function. It is not something the software program
was originally intended to do and can cause harm to a computer.
The Windows operating system uses dynamic link libraries (DLLs) to add functionality
to applications. DLLs modularize applications by offering precompiled libraries that all
programs share. An application using a DLL does not bundle the libraries up and include
them within its compiled code.
Injecting a DLL into another process allows an attacker to gain access to the process and
its memory. The result of a successful injection is a complete compromise of the process,
since the injected DLL is given free rein inside it.
Process injection is a method of executing arbitrary code in the address space of a
separate live process. Running code in the context of another process may allow access to
the process's memory, system/network resources, and possibly elevated privileges.
Execution via process injection may also evade detection from security products since the
execution is masked under a legitimate process.
Injecting Applications:

Reflective DLL injections

Reflective DLL loading refers to loading a DLL from memory rather than from disk, bypassing
the normal Windows loader, so the library need never be written to disk at all.
Browser Helper Objects

A Browser Helper Object (BHO) is a DLL that loads every time Microsoft Internet Explorer
runs. Typically, a BHO is installed by a third party program to enhance the functionality of
the web browser (many Internet Explorer plugins, for example, are BHOs). BHOs can be
installed silently, or can be installed ‘quietly’ (many users fail to read the small print that
comes with the EULA (End User License Agreement) displayed by the freeware program).
Also, because they’re programs, they can do anything that other programs can do. On top of
this, there’s no easy way to list the BHOs installed on the PC. As a result, BHO functionality
can be misused (to install adware or track browsing habits, for example).

Adware displays advertising content, often in a manner or context that may be unexpected
and unwanted by users. Adware programs often create unwanted effects on a system like
displaying pop-up advertisements and, in some instances, the lowering of either network
connection or system performance. Some adware can also collect the system's browsing
information (e.g. sites visited) and send the information to a remote server on the Internet.
The gathered information is used by a remote Web site or user for marketing purposes.

Browser Helper Objects (BHO) are plugins to the user's Web browser that may monitor or
manipulate Web surfing. In some cases the Browser Helper Object is a toolbar (BHOT).
Defense and Analysis Techniques

Memory forensics (sometimes referred to as memory analysis) refers to the analysis of
volatile data in a computer's memory dump. Information security professionals conduct
memory forensics to investigate and identify attacks or malicious behaviors that do not leave
easily detectable tracks on hard drive data.

Volatile data is the data stored in temporary memory on a computer while it is running.
When a computer is powered off, volatile data is lost almost immediately.

A memory dump (also known as a core dump or system dump) is a snapshot capture of
computer memory data from a specific instant. A memory dump can contain valuable
forensics data about the state of the system before an incident such as a crash or security
compromise. Memory dumps contain RAM data that can be used to identify the cause of an
incident and other key details about what happened.

Why is memory forensics important?

Memory forensics is useful when analyzing criminal activity such as hacking or insider
threats. Through the practice of memory forensics, experts are supplied with runtime system
activity, such as open network connections or recently executed commands and processes.
Because programs are loaded into memory before they execute on the computer, memory
forensics is of high importance. Every program or piece of data that is created, examined,
or deleted passes through RAM. This includes images, all web-browsing activity,
encryption keys, network connections, and injected code fragments. In many instances, certain
artifacts can only be found in RAM, such as the network connections open at the time of the
crash. Attackers can develop malware which resides only in memory rather than on disk,
making it virtually invisible to standard computer forensic methods. This puts memory
forensics tools in high demand.

Conventional firewalls and anti-virus tools do not have the ability to detect malware or
critical data in RAM. The best, and most complex, tools have the ability to identify malware,
rootkits, and zero-days in RAM.

Without memory forensics, experts will be unable to collect all the pieces of evidence. It is
important for all experts to take part in training exercises so they don't leave important
evidence behind. The importance of memory forensics cannot be stressed enough, especially
when collecting evidence from an attack and finding the attacker. The examination of
volatile data found only in RAM offers experts insight they would otherwise not have.
Many open source projects include memory forensics tools.
This is useful because of the way in which processes, files and programs are run in memory:
once a snapshot has been captured, many important facts can be ascertained by the
investigator, such as:

• Processes running
• Executable files that are running
• Open ports, IP addresses and other networking information
• Users that are logged into the system, and from where
• Files that are open and by whom
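An added example (not from the original notes) that ties the reflective DLL loading point in the DLL injection section to this memory-analysis workflow: it carves PE headers from a constructed process-memory region and flags any image whose base address is missing from a constructed loader module list, which is how an investigator spots a DLL that was loaded from memory rather than from disk. All addresses, header bytes and the module list are constructed for the demo.

```python
import struct

PAGE = 0x1000

def build_pe_image(machine=0x014C):
    """Build a minimal in-memory PE header (a constructed sample, not a real DLL):
    a DOS header whose e_lfanew points at the PE signature and COFF file header."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    # IMAGE_FILE_HEADER: machine, sections, timestamp, symtab, nsyms, optsize, characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, 0x2102)  # 0x2102 = EXE|32BIT|DLL
    return bytes(dos) + b"PE\0\0" + coff

def carve_pe_headers(dump, base_address):
    """Scan page-aligned offsets of a raw memory region for 'MZ' headers whose e_lfanew
    leads to a real PE signature. Returns (virtual_address, machine, characteristics)."""
    found = []
    for off in range(0, len(dump) - 0x40, PAGE):
        if dump[off:off + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", dump, off + 0x3C)[0]
        nt = off + e_lfanew
        if e_lfanew > PAGE or nt + 24 > len(dump) or dump[nt:nt + 4] != b"PE\0\0":
            continue                                              # stray "MZ" bytes, not an image
        machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", dump, nt + 4)
        found.append((base_address + off, machine, chars))
    return found

def unlisted_images(dump, base_address, loaded_modules):
    """Images present in memory but absent from the loader's module list: the
    tell-tale of a reflectively loaded or injected DLL that never touched disk."""
    return [va for va, _, _ in carve_pe_headers(dump, base_address)
            if va not in loaded_modules]

# Constructed six-page region of process memory starting at REGION_BASE:
#   page 0: a DLL the loader knows about      page 3: a PE image no loader record mentions
#   page 4: stray "MZ" bytes with no PE signature (must be rejected)
REGION_BASE = 0x10000000
DUMP = bytearray(6 * PAGE)
IMAGE = build_pe_image()
DUMP[0:len(IMAGE)] = IMAGE
DUMP[3 * PAGE:3 * PAGE + len(IMAGE)] = IMAGE
DUMP[4 * PAGE:4 * PAGE + 2] = b"MZ"
LOADED_MODULES = {REGION_BASE}          # what the loader's module list reports

def demo():
    """Return the base addresses of images the loader list does not account for."""
    return unlisted_images(bytes(DUMP), REGION_BASE, LOADED_MODULES)
```

Against a real RAW dump the same scan runs over each process's address space and the comparison set comes from the loader's module list recovered from the dump, so a page-aligned image that no record claims is worth pulling out for analysis.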

Memory Forensics: Acquisition Methods

Common methods and formats that are used today:

• RAW Format – extracted from a live environment
• Crash Dump – information gathered by the operating system
• Hibernation File – a saved snapshot that your operating system can return to after hibernating
• Page File – a file that stores similar information to what is stored in your system RAM
• VMware Snapshot – a snapshot of a virtual machine, which saves its state exactly as it was at the moment the snapshot was generated

• Memory forensics is an integral part of forensic analysis.
• Sometimes evidence can be resident only in physical memory.
• It must be used to defeat anti-forensic techniques.
• Evidence found in physical memory can be used to reconstruct crimes:
  • Temporal (when)
  • Relational (who, what, where)
  • Functional (how)
